Setting up guest WLAN on a dumb AP

Hi everyone,

I am trying to set up a wireless network for guests.
The following sketch shows what I would like to achieve:

The modem by my ISP is basically doing nothing except being connected to the internet.
Unfortunately I cannot bridge this modem.

My router is running openWRT v19.07.0-rc2.
Currently the private WLAN is working fine, I get a DHCP IP in the 192.168.1.xxx range and I can
browse the internet.

However, I would like to have a separate WLAN for guests in the 192.168.2.xxx range.
I set up a second WLAN AP with DHCP enabled on it.
When I connect to the 'guest-wifi' I do get an IP address in the 192.168.2.xxx range.
However I don't have access to the internet.

I tried following the following articles:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface
https://blog.doenselmann.com/gaeste-wlan-auf-openwrt-access-point/

and I had a look at an article:
steven-england.info/2014/11/01/openwrt-how-to-create-a-public-network-without-using-the-wan-interface/
which isn't quite the same setup.

I tried pretty much all the firewall configurations mentioned in those articles but to no avail.
If anyone has any ideas that would be much appreciated!

A Dumb AP is an AP which bridges wireless and wired interfaces. So you need a Dumb AP on one wireless interface, and a Routed AP on another: https://openwrt.org/docs/guide-user/network/wifi/routedap Your manual is very outdated; the screenshots are from an ancient version of LuCI. The German manual is good, but I don't understand Deutsch, sorry.

@ulmwind thank you very much for your contribution.
The manual from the official openWRT using the GUI is very outdated indeed.
Unfortunately not much else to work with.

I will try the routed AP for the second wireless interface and report back.
Thank you!

You should do it step-by-step:

  1. Create a wireless interface, set up IP and DHCP, and make sure it works (you can connect to it and ping the router's IP without access to any other resources).
  2. Configure a firewall zone for it and forwarding to the wan zone, then check Internet connectivity.

So I started from scratch, removed all my previous attempts basically.

I did the following:

  1. Added a new wireless network
  2. Made a guest ESSID
  3. Attached this wireless network to the guest interface (which I needed to create)
  4. Went to the guest interface and changed the protocol to static address
  5. Changed the IPv4 address to 192.168.2.1
  6. Changed the netmask to 255.255.255.0
  7. Also set up a DHCP server
  8. Applied all changes and restarted the router

I connected to this 'guest' ssid and I can ping 192.168.2.1 and I can ping 192.168.1.253.
DHCP is working fine, plus my private WLAN is still working.

Now at firewall:

  1. I added a new zone
  2. Input: accept, output: accept, forward: reject
  3. Covered network set to guest
  4. Allow forward to destination zone: wan
  5. Again reloaded the firewall (also dnsmasq and network, just in case)

Reconnected to guest wifi and tried pinging.
192.168.2.1 works
192.168.1.253 works
8.8.8.8 does not work

I also tried forwarding to destination zone: lan, and to both lan and wan.
Neither works.

Can you ping 192.168.1.254?

No, I cannot ping 192.168.1.254 from 192.168.2.xxx,
even with wifi => wan + lan forwarding.

I can ping other devices on 192.168.1.xxx from 192.168.2.xxx .

That is rather strange. Can you ping 192.168.1.254 from the command line of the router itself?

Yes, that works fine from the command line on the router.
I can also ping 192.168.1.254 from my device connected to 192.168.1.xxx.

OK, please provide /etc/config/wireless, /etc/config/network and /etc/config/firewall. Do you have a wan or lan zone for the Dumb AP?

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ar934x_wmac'
        option htmode 'HT20'
        option legacy_rates '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'redacted'
        option ssid 'redacted'
        option encryption 'psk2'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'HT20'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key 'redacted'
        option encryption 'psk2'
        option ssid 'redacted'

config wifi-iface 'wifinet0'
        option ssid 'guestwifi'
        option encryption 'none'
        option device 'radio0'
        option mode 'ap'
        option network 'wifi'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd7:5dd9:e7ea::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        list ipaddr '192.168.1.253/24'
        option gateway '192.168.1.254'
        list dns '192.168.1.254'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '5 4 3 2 0t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t'

config interface 'wifi'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option dest_port '10206'
        option name 'qB'
        option src_dport '10206'
        option target 'DNAT'
        option dest_ip '192.168.1.10'
        option dest 'lan'
        option proto 'tcp'
        option src 'lan'

config zone
        option input 'ACCEPT'
        option name 'wifi'
        option output 'ACCEPT'
        option network 'wifi'
        option forward 'REJECT'

config forwarding
        option dest 'lan'
        option src 'wifi'

config forwarding
        option dest 'wifi'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'wifi'

I am not sure what you mean by a wan or lan zone for the dumb AP.
I do have lan => wan + wifi and wan => reject zones set up.
The wan and lan zones were standard on there.

OK, in a configuration from the initial state my question is not applicable; it makes sense only with a Dumb AP already configured. I don't know why it doesn't work; please write option src before option dest in config forwarding. There is also a strange option

option gateway '192.168.1.254'

in lan configuration.

Swapping dest and src and restarting the firewall had no effect.
The

option gateway '192.168.1.254'

is there for the dumb AP to work.

I tried removing it and restarted network.
This caused me to be unable to ping anything on the outside (from my devices connected to 192.168.1.xxx).

Step 3 when configuring via the GUI:
https://openwrt.org/docs/guide-user/network/wifi/dumbap
except that my 'dumb AP' does have DHCP enabled.

Got it. Now your router is configured as a Dumb AP, so it is connected to the main router via the lan interface. The problem is the 'masq' option for this interface. Clients of the guest wireless interface should use masquerading, so you should set 'masq' to 1 for the lan interface. I don't know the effect on Dumb AP operation. So you should enable 'wifi'->'lan' forwarding (already done), and set 'masq' to 1 for the lan zone.


You're a saint!
It worked, thank you so much!

I don't know what masquerading does, I will have to read up on that.

You are welcome! Masquerading replaces the sender's IP address with the IP address of the router itself. The router then remembers the port number in its table, and changes the IP of the reply packet correspondingly.


Thanks again!
Took the whole weekend to get it working, just had to tick 'masq' on lan.
Unbelievable ^^"

Now to play around with the firewall to isolate things

p.s. I want to add this to the official openWRT wiki; would calling it "Configure a guest WLAN on a Dumb AP" be the correct title for it?

At your disposal; to my mind it is correct. Sorry, why the whole weekend, if your first message is dated 3 hours before?

I started trying to set it up on Friday evening.
Then spent most of Saturday on it.
After spending a good chunk of today on it, I decided to ask the community for help.
And there you were ;)!

For anyone stumbling upon this thread:
to finish up the firewall and isolate guests completely,
add the following to /etc/config/firewall:

# 'guest' must be the name of your guest firewall zone (the 'config zone' section);
# in the configs posted earlier in this thread that zone is called 'wifi'.
config rule
        option src 'guest'
        option dest 'lan'
        option name 'Disable Guest LAN Access'
        option proto 'all'
        option dest_ip '192.168.1.0/24'
        option target 'DROP'

# No 'dest' here: the rule applies to traffic addressed to the router itself (input).
config rule
        option src 'guest'
        option target 'DROP'
        option dest_port '80'
        option proto 'tcp udp'
        option name 'Disable Guest AP HTTP Access'

config rule
        option proto 'tcp udp'
        option name 'Disable Guest AP SSH Access'
        option src 'guest'
        option dest_port '22'
        option target 'DROP'

The first rule prevents people on the guest network (192.168.2.xxx) from accessing anything on the private network (192.168.1.xxx).
The second rule disables access to the router from the guest network.
The third rule disables SSH access to the router from the guest network.
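The two things that cost this thread a weekend (no 'masq' on the upstream zone, and isolation rules that name a zone which does not exist) are both visible in /etc/config/firewall before the firewall is ever reloaded. The script below is an added example, not code from this thread or from the OpenWrt project: it parses the UCI subset used in these files ('config', 'option', 'list') and checks that the guest zone exists, that it is forwarded to the upstream zone ('lan' on a dumb AP), that the upstream zone masquerades, and that every rule references a defined zone. The BROKEN and FIXED configs are constructed for the example and mirror the thread (zone named 'wifi', rules written for 'guest'); the function names and the check list are my own, not an OpenWrt tool.

```python
"""Pre-flight checks for a guest WLAN on an OpenWrt dumb AP (added example)."""
import re

_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$")


def parse_uci(text):
    """Parse the UCI subset used in /etc/config/* files.

    Returns a list of (section_type, section_name, options); 'list' entries
    become Python lists, 'option' entries plain strings.  Comment lines are
    skipped.  Only single-quoted values are handled (enough for these files).
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsed UCI line: {raw!r}")
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, value, {}))
        elif kind == "option":
            sections[-1][2][key] = value
        else:  # list
            sections[-1][2].setdefault(key, []).append(value)
    return sections


def check_guest_firewall(text, guest_zone, upstream_zone):
    """Return a list of problems; an empty list means the config passes."""
    sections = parse_uci(text)
    zones = {o.get("name"): o for t, _, o in sections if t == "zone"}
    forwardings = {(o.get("src"), o.get("dest"))
                   for t, _, o in sections if t == "forwarding"}
    rules = [o for t, _, o in sections if t == "rule"]
    problems = []
    for z in (guest_zone, upstream_zone):
        if z not in zones:
            problems.append(f"zone '{z}' is not defined")
    if (guest_zone, upstream_zone) not in forwardings:
        problems.append(f"no forwarding {guest_zone} -> {upstream_zone}")
    # On a dumb AP the main router knows nothing about 192.168.2.0/24, so
    # replies to un-NATed guest traffic have no route back: masq is required.
    if zones.get(upstream_zone, {}).get("masq") != "1":
        problems.append(f"zone '{upstream_zone}' lacks masq '1'; guest traffic "
                        "would leave un-NATed and replies could not return")
    for r in rules:  # a rule naming a non-existent zone silently matches nothing
        for side in ("src", "dest"):
            z = r.get(side)
            if z and z != "*" and z not in zones:
                problems.append(f"rule '{r.get('name', '?')}' references unknown zone '{z}'")
    return problems


# Constructed sample: the state of the thread just before the fix.
BROKEN = """
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wifi'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'wifi'

config forwarding
        option src 'wifi'
        option dest 'lan'

config rule
        option name 'Disable Guest LAN Access'
        option src 'guest'
        option dest 'lan'
        option dest_ip '192.168.1.0/24'
        option proto 'all'
        option target 'DROP'
"""

# Constructed: masq enabled on the upstream zone, rule pointed at the real zone name.
FIXED = (BROKEN
         .replace("option network 'lan'", "option network 'lan'\n        option masq '1'")
         .replace("option src 'guest'", "option src 'wifi'"))


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_guest_firewall(cfg, "wifi", "lan") or "OK")
```

Run it against a copy of the real file with `check_guest_firewall(open('/etc/config/firewall').read(), 'wifi', 'lan')` after scp'ing the file off the AP; the zone names are the ones from this thread and should be adjusted to whatever the local 'config zone' sections are called.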

A writeup has been added to the official openWRT documentation
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-dumbap

Unfortunately I don't have the rights to add pictures, otherwise I'd also show how to do it via the LuCI web interface.
